b'                                                 OFFICE OF INSPECTOR GENERAL\n                                                                         MEMORANDUM\n\n\n\n\nDATE:          December 2, 2005\n\nTO:            Chairman\n\nFROM:          Inspector General\n\nSUBJECT:       Report on the FY 2004 Audit of Network Infrastructure Controls\n\nThe Office of Inspector General (OIG) has completed an audit of network infrastructure controls.\nA copy of our Audit Report, entitled \xe2\x80\x9cFY 2004 Audit of Network Infrastructure Controls\xe2\x80\x9d (Audit\nReport No. 04-AUD-12-23) is attached. The objective of this audit was to determine the extent\nand adequacy of security controls over the network infrastructure operated and maintained by the\nFederal Communications Commission (FCC). The scope of this audit included the internal\nnetwork infrastructure owned, managed, and/or operated by the FCC.\n\nTo accomplish the objectives of this audit, we contracted with the public accounting firm of\nKPMG, LLP (KPMG). Under our supervision, the KPMG audit team interviewed staff,\nreviewed documentation, and performed other tests deemed necessary. Finally, KPMG\nevaluated the status of technical controls by executing automated tools and manual tests on the\ndevices comprising the FCC\xe2\x80\x99s network infrastructure. These tests included a vulnerability\nassessment to test the security of the FCC\xe2\x80\x99s network assets. KPMG also evaluated the network\ninfrastructure controls at the FCC facility at Gettysburg, PA.\n\nDuring this audit we identified a number of positive security controls in the FCC\xe2\x80\x99s network\ninfrastructure, including:\n\n\xc2\x83   A comprehensive set of configuration standards have been developed and implemented.\n\n\xc2\x83   Network infrastructure components are physically secured.\n\nWhile these positive controls were noted, the audit identified twelve (12) findings, two (2) high\nrisk, eight (8) medium risk and two (2) low risk. Appendix A, Summary of Findings,\nsummarizes these conditions. Appendix B, Detailed Findings and Observations, contains the\ndetailed results of our audit. Appendix C, Acronyms, lists definitions of terms used in the report.\n\nOn September 26, 2005, we provided a draft to the Office of Managing Director (OMD) for\n\x0c\x0c'